add auditd docs
This commit is contained in:
parent c3e200aa04
commit ff8227414c
services/nftables/audit-framework/audit.md (new file, 13 lines added)
@ -0,0 +1,13 @@
# Audit Framework
## Kernel
To ensure that all process which may have started before `auditd` are marked as auditable use boot time kernel param `audit=1`.
## Userspace
* Install the `audit` package, enable and start the `auditd.service`.
* The config file is `auditd.conf`.
* The rules are defined in `/etc/audit/audit.rules`.
* `auditctl` can be used to edit rules on the fly.
* `ausearch` and `aureport` are used to summarize and view data.
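Review bot: the rules location in `* The rules are defined in /etc/audit/audit.rules.` is misleading on distributions that ship `augenrules`: there `/etc/audit/audit.rules` is a generated file, rebuilt from `/etc/audit/rules.d/*.rules` when `auditd.service` starts, so rules added directly to `audit.rules` are overwritten. Suggest pointing readers at `/etc/audit/rules.d/` and, in the `auditctl` bullet, noting that rules loaded with `auditctl` live in the kernel only and are gone after a reboot unless also written to a rules file. Two smaller points: `auditd.conf` should carry its full path (`/etc/audit/auditd.conf`), and in the Kernel section "all process which may have started" should read "all processes that may have started".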